At TechGasp we use payplans to manage our joomla subscriptions, no secret. A couple of days ago we found a security issue that affects payplans from version 3.2.x to 3.6.2 (huge array of versions in between). If you use payplans make sure to urgently upgrade to version 3.6.3.

Payplans IDOR exploit

To start, IDOR stands for Insecure Direct Object References. It basically occurs when an application provides direct access to objects based on user-supplied input. Attackers can bypass authorization and access resources in the system directly. Example, database records, sales values, files, etc. This is caused by the fact that the application takes user supplied input and uses it to retrieve an object without performing sufficient authorization checks.

Regarding TechGasp components, modules and plugins, to date no exploit was ever detected since we use joomla api, all our users can relax. Like we explained previously, we detected the IDOR exploit in payplans from stackideas and helped them fix the issue in the new payplans 3.6.3 version. You can take a look at their blog for more info, here’s a small extract.